Changeset 277 for trunk/wifidog/src/fw_iptables.c

Timestamp:

11/18/04 17:22:51 (9 years ago)

Author:

alexcv

Message:

ping_thread now detects when auth_servers change IPs and reset the firewall
rules accordingly. Additional hooks in the firewall code to do this. Also,
if we change primary auth_server, we reset the list, jsut in case the IP
for the next auth_server was stale. That's done in conf.c.

Files:

• trunk/wifidog/src/fw_iptables.c (modified) (7 diffs)

trunk/wifidog/src/fw_iptables.c

@@ -73 +73 @@
 }
 
+void
+iptables_fw_clear_authservers(void)
+{
+    iptables_do_command("-t nat -F " TABLE_WIFIDOG_AUTHSERVERS);
+}
+
+void
+iptables_fw_set_authservers(void)
+{
+    s_config *config;
+    t_auth_serv *auth_server;
+   
+    config = config_get_config();
+    
+    LOCK_CONFIG();
+    
+    iptables_do_command("-t nat -N " TABLE_WIFIDOG_AUTHSERVERS);
+    for (auth_server = config->auth_servers; auth_server != NULL;
+                    auth_server = auth_server->next) {
+        iptables_do_command("-t nat -A " TABLE_WIFIDOG_AUTHSERVERS " -d %s -j ACCEPT", auth_server->authserv_hostname);
+    }
+
+    UNLOCK_CONFIG();
+}
+
 /** Initialize the firewall rules
  */
@@ -79 +104 @@
 {
     s_config *config;
-    t_auth_serv *auth_server;
    
     config = config_get_config();
     fw_quiet = 0;
     
-    LOCK_CONFIG();
-    
-    iptables_do_command("-t nat -N " TABLE_WIFIDOG_AUTHSERVERS);
-    for (auth_server = config->auth_servers; auth_server != NULL;
-                    auth_server = auth_server->next) {
-        iptables_do_command("-t nat -A " TABLE_WIFIDOG_AUTHSERVERS " -d %s -j ACCEPT", auth_server->authserv_hostname);
-    }
-
-    UNLOCK_CONFIG();
-
+    iptables_fw_set_authservers();
+
+    LOCK_CONFIG();
+    
     iptables_do_command("-t nat -N " TABLE_WIFIDOG_VALIDATE);
     iptables_do_command("-t nat -A " TABLE_WIFIDOG_VALIDATE " -j " TABLE_WIFIDOG_AUTHSERVERS);
     iptables_do_command("-t nat -A " TABLE_WIFIDOG_VALIDATE " -d %s -j ACCEPT", config->gw_address);
+
+    UNLOCK_CONFIG();
 
     /** Insert global rules BEFORE the "defaults" */
@@ -113 +133 @@
     iptables_do_command("-t nat -A " TABLE_WIFIDOG_VALIDATE " -j DROP");
 
+    LOCK_CONFIG();
+    
     iptables_do_command("-t nat -N " TABLE_WIFIDOG_UNKNOWN);
     iptables_do_command("-t nat -A " TABLE_WIFIDOG_UNKNOWN " -j " TABLE_WIFIDOG_AUTHSERVERS);
     iptables_do_command("-t nat -A " TABLE_WIFIDOG_UNKNOWN " -d %s -j ACCEPT", config->gw_address);
 
+    UNLOCK_CONFIG();
+    
     /** Insert global rules BEFORE the "defaults" */
 
@@ -122 +146 @@
     iptables_do_command("-t nat -A " TABLE_WIFIDOG_UNKNOWN " -p tcp --dport 67 -j ACCEPT");
     iptables_do_command("-t nat -A " TABLE_WIFIDOG_UNKNOWN " -p udp --dport 53 -j ACCEPT");
+
+    LOCK_CONFIG();
+    
     iptables_do_command("-t nat -A " TABLE_WIFIDOG_UNKNOWN " -p tcp --dport 80 -j REDIRECT --to-ports %d", config->gw_port);
+
+    UNLOCK_CONFIG();
+    
     iptables_do_command("-t nat -A " TABLE_WIFIDOG_UNKNOWN " -j DROP");
 
@@ -135 +165 @@
 
     iptables_do_command("-t nat -N " TABLE_WIFIDOG_CLASS);
+
+    LOCK_CONFIG();
+    
     iptables_do_command("-t nat -A " TABLE_WIFIDOG_CLASS " -i %s -m mark --mark 0x%u -j " TABLE_WIFIDOG_VALIDATE, config->gw_interface, FW_MARK_PROBATION);
     iptables_do_command("-t nat -A " TABLE_WIFIDOG_CLASS " -i %s -m mark --mark 0x%u -j " TABLE_WIFIDOG_KNOWN, config->gw_interface, FW_MARK_KNOWN);
@@ -147 +180 @@
     iptables_do_command("-t mangle -I FORWARD 1 -i %s -j " TABLE_WIFIDOG_INCOMING, config->external_interface);
 
+    UNLOCK_CONFIG();
+    
     return 1;
 }
@@ -170 +205 @@
     iptables_do_command("-t nat -F " TABLE_WIFIDOG_KNOWN);
     iptables_do_command("-t nat -F " TABLE_WIFIDOG_LOCKED);
+    iptables_do_command("-t nat -X " TABLE_WIFIDOG_AUTHSERVERS);
     iptables_do_command("-t nat -X " TABLE_WIFIDOG_VALIDATE);
     iptables_do_command("-t nat -X " TABLE_WIFIDOG_UNKNOWN);